===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1755.2
                    [DSA 4687-1] exim4 security update
                                19 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           exim4
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12783

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4687
   https://www.debian.org/lts/security/2020/dla-2213
   https://lists.debian.org/debian-lts-announce/2020/05/msg00017.html

Comment: This bulletin contains two (2) Debian security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running exim4 check for an updated version of the software for
         their operating system.

Revision History:  May 19 2020: Vendor released associated DLA notification
                   May 18 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4687-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
May 16, 2020                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from an
authentication bypass vulnerability in the spa authentication driver.
The spa authentication driver is not enabled by default.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.89-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------------------------------------------------------------

[DLA 2213-1] exim4 security update

Package        : exim4
Version        : 4.84.2-2+deb8u7
CVE ID         : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from an
authentication bypass vulnerability in the spa authentication driver.
The spa authentication driver is not enabled by default.

For Debian 8 "Jessie", this problem has been fixed in version
4.84.2-2+deb8u7.

We recommend that you upgrade your exim4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================